URL: https://github.com/SSSD/sssd/pull/275
Author: akamensky
Title: #275: Implement access verification by rhost using ldap_access_order rhost option
Action: opened
PR body:
"""
TL;DR - this is to implement functionality similar to both `sshd_config:AllowUsers` and
`PAM's own rhost verification`.
This was asked in IRC and [mailing
list](https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedor...
(with little follow-up in both). The reasoning behind the implementation can be seen in the linked
mailing list thread.
The current PR provides the basic functionality of comparing rhost (from PAM) with values stored
in LDAP. To enable this, set `ldap_access_order = rhost` and `ldap_user_authorized_rhost =
<ldap_field_name| default: rhost>` in sssd.conf.
It _currently*_ provides rule evaluation similar to how it currently works for host-based
authentication.
TODO:
- [ ] Finalize logic of using DNS/rDNS for rules validation (currently working on the basic
idea of how it should work - any help here?)
- [ ] Implement use of DNS/rDNS (with optional switch to enable/disable)
- [ ] Documentation
- [ ] Test coverage (didn't see test coverage for host auth, so is it needed?)
"""
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/275/head:pr275
git checkout pr275